ETW_PMC_SUPPORT

The ETW_PMC_SUPPORT structure is created whenever
for an event logger when processor performance monitoring is enabled for it. Such
requests reach the kernel only through ZwSetSystemInformation or
NtSetSystemInformation when given the information
class SystemPerformanceTraceInformation (0x1F) with
an information buffer whose first dword is EventTraceProfileEventListInformation
(0x0E) or EventTraceProfileCounterListInformation
(0x0F).

Documentation Status

The ETW_PMC_SUPPORT structure is not documented.

Layout

The ETW_PMC_SUPPORT structure is 0x24 or 0x28 bytes in
32-bit and 64-bit Windows, respectively. Offsets, types and names in the table below
are from symbol files for the kernel in Windows 8 and higher.

The structure is always allocated from non-paged no-execute pool. Its address
is kept as the PmcData member of the
WMI_LOGGER_CONTEXT
that represents the event logger.

Each logger can nominate up to four counters. These are selected from the
KPROFILE_SOURCE enumeration that is defined in WDM.H and
lists the types of information that the HAL may keep about processor performance.
The profile sources are provided as the ProfileSources member of the
EVENT_TRACE_PROFILE_COUNTER_INFORMATION
that is the required input for the relevant case of ZwSetSystemInformation.

The ProcessorCtrs array has as many elements as there
can ever be processors. Each is a pointer to a HAL_PMC_COUNTERS structure
for which Microsoft’s symbol files do not provide type information. From the
NTOSP.H header in the Enterprise edition of the Windows Driver Kit (WDK) for Windows
10 version 1511, it is known that Microsoft defines the type PMC_HANDLE
for this pointer.

This page was created on 30th
November 2016 and was last
modified on 23rd November 2018.